In my last blog, I reviewed the benefits of ERM. That means you are probably hungry to sit down and take on a risk management initiative. But analyzing risks, setting controls, ensuring communication, and monitoring progress takes time and effort. Like serving any large, multi-course meal, ERM projects can be large, intimidating, tough to coordinate, and difficult to digest.
In tackling an enterprise risk management rollout, breaking down the project is essential for success.
The Five-Course Menu (or Project Plan)
Every multi-course dinner starts with a menu plan. Each course is reviewed, and then the assigned ingredients, preparation, and cooking times are shaped by the chef's culinary vision. Similarly, the ERM manager should start with a general overview of the ERM process and set out the specific steps required to realize the company's vision and goals.
Over the next few months, this blog will examine each major component of the ERM process in greater detail. First, here is a menu of the basic steps of ERM—in five delicious courses.
The Starter: Identifying Current and Emerging Risks
Hors d'oeuvres or appetizers are designed to excite the taste buds and prepare guests for the coming feast. They are a fundamental first step in showcasing the chef's gastronomic talents and introduce a “theme” for the full culinary presentation.
In ERM terms, the first course is identifying current and emerging risks. The identification process often starts on a small scale, with face-to-face interviews. Groups of key managers and staff are asked about root causes and drivers of risks in their particular areas.
Next, the ERM team will look at any connected or similar risks that might affect multiple departments. The review may increase in complexity. The company can conduct surveys, review news, research industry press, and retain experts and consultants. A harvest of potential risks will be gathered, sliced and diced, and main groups of risk bucketed and blended. Even the smallest tidbits of information gleaned here can reveal patterns and trends of loss not previously appreciated.
Read More Risk Management Insights From Denise Tessier
This is a fundamental step, designed to form the basis for the entire ERM plan, and can whet the appetite for future ERM work. Often, participants get their first real taste of the magnitude and financial impact of risk in such interviews. As new ideas and risks come to light, participants may begin to realize how vulnerability in their areas of responsibility might impact the company on a greater scale. New, interesting flavors are added to responsibilities already on their plates.
The identification course also can introduce a “theme” for the overall ERM project. The company begins to educate all staff about ERM principles early in the process. The instructions given, the questions and answers elicited, and the information gathered at this stage can leave an impression. With care, that impression will be that the company is serious about risk management, sees ERM as a collaborative effort, and is committed to developing a sustainable, long-term approach. ERM is not fast food.
The Salad: Using Metrics to Assess Frequency and Severity
The purpose of a salad in a multi-course meal is to add something that the main entrée itself may lack—be it a certain flavor, texture, color, or nutritional base. Salads complement and complete the dining experience.
Metrics could be considered the “salad” of ERM—something that complements and completes the risk analysis process. A company that has catalogued its risks and has established some controls to manage them has accomplished a major step toward mitigating future losses. But it is not quite enough.
Adding the extra step of developing metrics allows a company to rank its risks by significance, and prioritize its resources and activities around the most dangerous risks and the most beneficial controls. It also provides some objective, quantitative measurements of specific risks against an organization's risk appetite, the statement of a company's willingness to assume a degree of risk in pursuing opportunities.
In this phase, companies assess the frequency of a potential risk—how often could the event or loss happen? They also measure severity—how bad could the event or a loss be? Other metrics can also be used, such as the duration of an event or loss and the development time for that risk or loss. Taking the time for these kinds of assessments helps with risk avoidance or mitigation.
Importantly, the key feature of any ERM program is a set of standard scales and metrics for evaluating different kinds of risk across different business divisions, so that they can be compared on an “apples-to-apples” basis. Measuring risks in standard formats ultimately enables the company to make more comprehensive and strategic decisions. Metrics make an ERM program complete.
The Sorbet: Risk Reporting, Monitoring & Adjustment
Sorbet is often served between courses as a way to cleanse the palate before the main dish, an intermezzo between more intense courses that freshens the taster's perspective.
ERM programs must also have planned pauses for participants to evaluate prior work. The world of risk is constantly changing. In ERM, risk reporting and monitoring will be scheduled on a regular basis, so that risks can be reviewed and re-ranked and controls can be tested. Some risks become more or less significant to a company over time; others are newly identified. Building time into the overall process to appreciate and critique what has passed, address needed changes, and prepare for the next course refreshes perspective on risk.
The Main Course: Setting Effective Controls
A well-planned main dish is the heartiest course and is the highlight of a meal. Preceding courses are designed to steadily increase appetite, culminating in a solid, satisfying entrée.
ERM's main course is effective controls. It is the ultimate goal of an ERM program to establish a suite of specific techniques, policies, and procedures to reduce or mitigate identified risks as much as possible. While they won't operate to eliminate 100 percent of all risk, well-developed, sustainable controls will have a direct financial impact on a company. Controls can make or break a company, as is being recognized by such industry gourmet critics as state and federal regulators, rating agencies, and shareholders. Solid controls satisfy reviewers.
Dessert: Strategic Analysis
For a professional chef, dessert serves an important purpose, either reviving the palate or facilitating digestion. For the diner, dessert is pure pleasure. In either case, a superb dessert can make the entire meal truly memorable, adding that extra something special.
Strategic analysis is the icing on the cake for many ERM programs. Strategic analysis is the process of weighing whether potential gains will outbalance losses in a proposed course of action. Once main controls are established and operating smoothly to mitigate the “downside” of risk, a company can push its analyses to a new level, allowing it to more fully address the “upside” of risk: opportunities.
Using ERM to perform strategic analysis can help decision-making on some very practical issues. For example, how much capital should a company hold in reserves to cover some of its key risks? Should the company enter into a new line of business or develop a new product or market? Strategic analysis adds that extra special something to the ERM process.
Menu Planning Tips
When integrating these courses into a new ERM project, here is some advice to take away:
“Keep it simple, and make it tasty.” –Gordon Ramsay
Gordon's kitchen mantra is to offer fewer, simpler options for a meal, but to use high-quality ingredients, to make a stronger impression. In ERM, remember that it is okay to keep it simple, particularly in the early days. A company new to the ERM process may want to taste the sauce and perfect its methodologies with a limited population of risks, selected lines of business, or a targeted group of staff, before rolling out a major new ERM protocol or system to a large population too quickly.
“Focus on the guests, not just the food.” –Martha Stewart
ERM is not just a theoretical model or fancy computer system. It is a method of reviewing risks with input from many people across an organization. ERM efforts should be primarily focused on communication among people—eliciting input from many levels, sharing of information across former “silos” of individual business units, and reporting information to decision-makers. All your customers need to be satisfied.
“The only real stumbling block is fear of failure. In cooking you've got to have a 'What the hell?' attitude.” –Julia Child
Don't be afraid of trying ERM and experimenting with different analysis methods, metrics, strategic applications, and the like. ERM should be a flexible and forgiving process, which changes with the times. Today, there are many tools and systems that give companies the freedom to flavor ERM to their unique needs and tastes. Take that first bite!
© 2025 ALM Global, LLC, All Rights Reserved.